Authorization Statements

Each ACL entry can include one or more authorization statements. Authorization
statements specify who is allowed or denied access to a server resource. Use
the following syntax to write authorization statements:

allow|deny [absolute] (right[,right...]) attribute expression;

Start each line with either allow or deny.
Because of the hierarchy rules, it is usually a good practice to deny access
to everyone in the first rule and then specifically allow access for users,
groups, or computers in subsequent rules. That is, if you allow anyone access
to a directory called /my_stuff, and you have a subdirectory /my_stuff/personal that allows access to a few users, the access
control on the subdirectory will not work because anyone allowed access to
the /my_stuff directory will also be allowed access to
the /my_stuff/personal directory. To prevent this, create
a rule for the subdirectory that first denies access to anyone and then allows
it for the few users who need access.

In some cases, if you set the default ACL to deny access to everyone,
your other ACL rules do not need a deny all rule.